The Reserve Bank of New Zealand was not the direct target of a cyber attack that breached its data systems, it says.
In an update, RBNZ governor Adrian Orr said the breach was the result of the third party provider, Acellion, being hacked.
Acellion is a Californian based software firm which provides secure file sharing services.
"We have been advised by the third party provider that this wasn't a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised," Orr said.
The compromised data may include some commercially and personally sensitive information but it would take time before RBNZ could be certain.
The new development came after a cyber security expert suggested the RBNZ was likely hacked by another government.
"We are actively working with domestic and international cyber security experts and other relevant authorities as part of our investigation," Orr said.
"This includes the GCSB's National Cyber Security Centre which has been notified and is providing guidance and advice."
RNZ has learned that minister of finance Grant Robertson had been informed about the attack and was keeping a close eye on the situation.
Orr said he understood the high level of public interest in the data breach but was not in a position to release any further details.
"Providing any further details at this early stage could adversely affect the investigation and the steps being taken to mitigate the breach."
The RBNZ is charged with overseeing the country's monetary policy and supporting the financial system as a whole.
In October, the bank announced it was taking steps to ensure retail banks and other regulated financial services improved their cyber security.
It released a draft guidance, which would apply to the financial entities it regulated, and draws heavily from international cyber security standards.
Last May, RBNZ said in a discussion document its cyber security systems were not up to scratch and there was a "high operational risk due technical obsolescence and an underinvestment in security across many of the core technology platforms".
It said it wanted to lower operational risk by a "phased migration to resilient platforms underpinning our business".